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PCI Compliance 
Getting Started Guide 


Qualys PCI provides businesses, merchants and online service providers with the easiest, most cost 
effective and highly automated way to achieve compliance with the Payment Card Industry Data 
Security Standard (PCI DSS). This standard provides organizations with the guidance needed to ensure 
that credit cardholder information is kept secure from possible security breaches. 


Qualys PCI is the most accurate and easiest to use tool for PCI compliance testing and reporting for 
certification. Qualys is an Approved Scanning Vendor (ASV). 
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Network Scanning 


Per PCI DSS v3.0 requirement 11.2.2, merchants are required to perform quarterly external vulnerability 
scans via an Approved Scanning Vendor (ASV). Every part of cardholder data system components needs 
to be scanned. Using the PCI module you can meet the external network scans requirement. 


You are responsible for adding IP assets to your PCI account for all in-scope infrastructure for the PCI 
DSS external network scan requirement. To see the IP assets in your account go to Account > IP Assets. 
You can add IP addresses up to the total IPs purchased. 


Check Scanner IP Addresses Before Scanning 


Only IPs that are accessible from the Internet are scanned by the Qualys PCI service. The service 
automatically provides multiple scanners for external (perimeter) scanning, located at the Security 
Operations Center (SOC) that is hosting the PCI compliance service. Depending on your network, it may 
be necessary to add the scanner IPs to your list of trusted IPs, so the service can send probes to your in- 


scope system components. 


The scanner IPs are: 64.39.96.0/20 (64.39.96.1-64.39.111.254), 139.87.112.0/23 (139.87.112.1- 
139.87.113.254) 
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Define Your In-Scope Infrastructure 


Click the Asset Wizard button on your Home page (or go to Account > IP Assets and select the wizard). 
The wizard helps you define the in-scope infrastructure for the external network scan. You must add to 
your account all Internet-facing IP addresses and/or ranges. If you have domains that host in-scope PCI 


infrastructure you need to add these domains to your account. 


Start Scan Asset Wizard 


Q Your Network Scans a 


Scan History All Vulnerabilities 


Important! The wizard prompts you to confirm scans can be performed without interference. The 
service provides multiple scanners for external (perimeter) scanning and lists the scanner IP addresses. 
Depending on your network, it may be necessary to add the scanner IPs to your list of trusted IPs. 


Start an External Network Scan 


Click the Start Scan button on your Home page (or go to Network > New Scan). 


Q Your Network Scans a 


Start Scan Asset Wizard 


Scan History All Vulnerabilities 


Tip — You may have already run an external PCI network scan using Qualys VM and then shared this scan 
with the PCI module. In this case you’re ready to run reports and complete certification steps. Jump 
ahead to the section “Create Network Reports for Certification” later in this document. 
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Next you’ll see the New Scan page. Select your scan settings and click OK. 
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New Scan Ss 


Scan Settings 
* Title: My External Network Scan 
* Bandwidth: | Medium x| Info <{—— 
* Target IPs: © AIl IPs 4—2 


J Select IPs 


* Launch ® Launch Now 4—— 3 


Ð Schedule for Later 


OK Cancel 


1) The bandwidth represents a set of scan performance settings. We recommend Medium to get 
started. Click the Info link to understand the settings. 


2) Choose to scan All IPs in your account or just certain IPs. Tip — To meet PCI compliance all the IPs in 
your account must be scanned and there can be no detected PCI vulnerabilities on any IPs. If you have a 
large number of IPs that must be compliant, you may want to scan a few IPs at a time to help you with 
the remediation process. 


When enabled by admin, you can choose to scan by All DNS hosts or just certain DNS hosts. Scan by DNS 
supports scanning DNS hosts that resolve to unique IP addresses. If you want to scan DNS hosts that 
resolve to same IP address, use Split Targets option. You can add a maximum of 500 DNS hosts if you 
want to scan DNS hosts using Split Targets option. Note that your scan time will increase if you select 
this option. 
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Scan Settings 


Title: * My Scan 
Bandwidth: * Medium v| Info 
Asset Type:* Ojp 

@pns 


Split Targets:* |No v 


Select this option ONLY if you want us to scan DNS hosts that resolve to same IP addresses. Note that this option will increase your scan time. 


DNS Asset 


O All DNS 
@ Select DNS 


cmacbb.com, cmamcb.com, cmbaoo.com, cmbbca.com, cmcbcb.com, cmcbcc.com, cmmabo.com, cmmbco.com, 
cmmcac.com, cmmcbb.com, cmmceca.com 


Select DNS 
Download DNS 


* Launch @ Launch Now 
O Schedule for Later 


OK Cancel 


To add DNS hosts to your account, go to Account > DNS Hosts and click New. See Configuring Virtual 
Hosts if you wish to scan the domains associated with an IP address, possibly increasing the number of 
vulnerabilities detected. 
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LI) Resources 


3) You can schedule the scan to run later or on a regular basis — daily, weekly or monthly. We 
recommend you set up a schedule so you'll receive vulnerability scan results on an ongoing basis. 


Once the scan is launched you can monitor the scan progress by going to Scan Results. 
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Your scan has been successfully launched. You can monitor the status of the scan on 
the Scan Results section. To generate a PCI compliance report to submit to your bank, 
you need to go the the Compliance Status section. 


Go to Scan Results Go to Compliance Status 


Return to the Scan Results section to see Once the scan is finished you can go to 

the status of the scan and to download the Compliance Status section to 

the results once it is finished. generate a PCI compliance report to 
submit to your bank. 
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[=] Web Applications ~ Scan Details 
[F Questionnaires bi Title: My External Network Scan 
ê Account - Started On: 08/28/2012 at 18:03:52 
@ Contact Support Launched By: Jason Kim 
Duration: 00:09:22 
O SS Active Hosts: 2 
Type: On Demand 
Bandwidth: Medium 
Scan Status: Finished 
10.10.25.100, 
—- 10.10.25.112 


What does the scan status Importing mean? Importing means a user requested to share an external PCI 
network scan using the VM module and the service is importing this scan. Once complete, the status will 


change to Finished and any of the scanned IPs not already in your PCI account will be added. 


Configuring Virtual Hosts 


Your account may be configured to allow you to add/remove virtual hosts to scan. A virtual host 


configuration consists of the IP address of the virtual host, the port number to be associated with the 
hosted domain, and the domain name (FQDN) to be hosted by the IP address. To add virtual host, go to 
Account > Virtual Host. Click New to add new virtual hosts. When adding multiple virtual hosts, separate 


each one with a line break. 

Formats: 

FQDN:Port:IP 

FQDN:Port:IP/Path 

For example: 
www.merchantA.com:2020:194.55.109.1 
www.merchantB.com:2020:194.55.109.1/path2 


www.merchantC.com:8080:194.55.109.1 
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Add Virtual Host 


Virtual Hosts 


Enter Virtual Host in the field below: 


www.merchantA.com:2020:194.55.109.1| 


ic) 


A 


Example: www.example.com:port:ipaddress or www.example.com:port:ipaddress/path and multiple virtual hosts should 
be separated by line break. 
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View Current Vulnerabilities and Fix 


PAN 
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4 Home Current Vulnerabilities Compliance Status > 

SEARCH BY IP ADDRESS || FILTER RESULTS POTENTIAL SEVERITY LEVEL || ACCOUNT SUMMARY 

Enter one or more IP addresses and/or IP i F] Hi F — i 

: | ID, Vulnerability Title or Hostname High Med Low i 
me aeaa | | Ob When o D - 
Search for IP Address : | M1 Display only PCI Fail Vulnerabilities f 
i i 0 


Clear | Find IP Address | : Aggro OERE ii EXP [E] High E Med M] Low 


Hide Filters 
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Review 1 False Positive | Download All + 


Current Vulnerabilities 


Vulnerability Title Severity 

lal NetBIOS Shared Folder List Available E HIGH 
Quo: 70001 GS 

m Microsoft Windows Remote Desktop Protocol Server Pri [m HIGH 
QID: 90250 

O Microsoft Windows Server Service Could Allow Remote E HIGH 
QID: 90464 

E] Microsoft SMB Remote Code Execution Vulnerability (M£ E HIGH 
QID: 90477 — 

A C= ao m HIGH 
QID: 90527 


QID: 105449 


i 4 a i 


EOL/Obsolete Operating System : Microsoft Windows S E HIGH 
QID: 105340 
EOL/Obsolete Operating System : Microsoft WindowsS [fw HIGH 


IP Address 


10.10.25.100 ^ 
2k3sp1-25-100.pi 


10. 10.25.112 
2k8sp0-25-112.2% 


10. 10.25. 100 
2k3sp1-25-100.p 


10. 10.25. 100 
2k3sp 1-25-100.pi| 


10. 10.25.112 
2k8sp0-25-112. 2 


10. 10.25. 100 
2k3sp1-25-100.pi 


10. 10.25.112 
2k8sp0-25-112. 2% 


r 


Rescan to Verify Vulnerabilities are Fixed 


Vulnerability Details 


QID: 

Severity: 

CVSS Base: 
CVSS Temporal: 


PCI Compliance 
Status: 


Category: 
Port/Service: 
False Positive: 


Bugtraq ID: 
CVE ID: 


Vendor Reference: 


Last Update: 


Microsoft Windows Remote Desktop Protocol 
Remote Code Execution Vulnerability (MS12-020) 


10.10.25.112 
2k8sp0-25-112.2k8sp0.patch.ad.vuln.ga.qualys.com 


90783 

5 SERRE 

9.3 AV:N/AC:M/Au:NIC:CI-CIA:C 
7.7 E-FIRL:OF/IRC:C 


FAIL © 
CVSS basescore of 4.0 or greater results in an automatic failure. 


Windows 
-/ Windows 
NIA 


CVE-2012-0002 , CVE-2012-0152 
MS12-020 
03/29/2012 at 17:35:31 
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M Home Scans 

Network -| |@NewScan Q Search 4 4[1-10F1 [2] > > S] 
nn” NE] 
ae © ®@ a wm) My External Network Scan Finished 08/28/2012 a) 
Scheduled Scans X 
Scan Results ba 
Vulnerabilities 
False Positive History 
Open Services Report 

@ Compliance ~ 
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False Positive Requests 


It’s possible after fixing all vulnerabilities, as defined by the PCI DSS compliance standards, that you have 
an issue that doesn’t seem to apply to the host. In this case, you may request an exception that will be 
considered by us as a false positive. Before making this request, complete all remediation steps to fix 
vulnerabilities by following these guidelines: 


1) Work with your system administrator to fix all vulnerabilities in your scan results using the 
recommended solutions. A custom solution is provided for each detected vulnerability. 


2) Before you submit a false positive, be sure to fix all vulnerabilities except the false positive issues. 
Your last rescan should show only the false positive issues. 


If you believe that the PCI compliance service has identified a false positive in your scan, submit your 
false positive request by going to Network > Vulnerabilities. Select the check box next to vulnerabilities 
you want to submit and then click “Review False Positives”. A Technical Support representatives will 
work with you to confirm the issue is indeed a false positive. Once approved, the false positive is 
approved for 90 days and this will not appear in your vulnerabilities list or your reports. 


Secure Web Applications 


Per PCI DSS v3.0 requirement 6.6, merchants are required to perform scans of public-facing web 
applications and review detected vulnerabilities. Using the PCI module you can meet the web 
application scans requirement. Note that web application scanning is available when this option is 
turned on for your subscription. Please contact your Account Manager or our Support Team if you 
would like to use this option. 


You are responsible for adding web applications to your PCI account for all in-scope applications for the 
PCI DSS requirement. To see the IP assets in your account go to Account > Web Applications. You can 
add web applications up to the total applications purchased. 


Add Your Web Application 


To add a web application to your account, go to Account > Web Applications and click the New link. 


Payment Card Industry Compliance Jason Kim [Sports Shop, Inc.] | Help | Log Out 
Home Web Applications 
TẸ Network ~|| @ New [Ñ Search 4 4\ lb bs 


cosas Scan Details Edit Title Site Update Date 


(=) Web Applications 
EF Questionnaires No data was found 
@ Account 
Settings 
IP Assets 
Web Applications 
Users 
@ Contact Support 


LL) Resources 


a a eee ae ot a ee a ae ee a dee | i 
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Enter the web application settings and click Save. Tip — Click Help on the top menu bar for guidance. 


New Web Application 


Web Application Details 


* Title: Demo Web Application 
hi 10.10.26.238 
Enter full domain name (FQDN) e 

* Port: 80 

* Starting URI: | / 

Blacklist: 

Use the blacklist to a tential disru s ir application. Check online help for more details 
Authentication Records 


You must save the new web application before you can add authentication records. Edit the web application to add records. 


Save Cancel 


What are authentication records? Authentication to HTML forms is optional but may be required to scan 
your web application. These authentication techniques are supported: HTTP Basic server-based 
authentication and simple form authentication. If authentication to the web application is required add 
one or more authentication records by editing the web application. 


Start a Web Application Scan 


On the web applications list, click the Scan link next to your web application. (Or you can go to Web 
Applications > Scans and click New Scan.) 


Web Applications 


| © New Search di 4j1-10f1|z|> > S| 


Update Date 


Scan Details Edit Title Site 


Scan © Ej Demo web Application 10.10.26.238 09/06/2012 


"i 


Choose your scan settings. Want to use authentication? Select an authentication record already defined 
for your web application. Then click OK to start the scan. 
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New Web Application Scan 


Your scan will 


Scan Settings 


* Title: 
* Application: 
Authentication Record: 


* Form Submission: 


My Web Application Scan 
Demo Web Application 
Demo App - Form Authentication 


Disallow Forms 


Maximum links to crawl: | 300 


= 


appear under Web 
Applications > Scan 
Results where you 
can track its 
progress and 


Limit crawling to starting URI d own | oa d th e 
Bandwidth: Medium m| Info 
Crawl Only (do not conduct web vulnerability tests) resu Its A 
Advan tion: 
Scan Date 


® Launch Now 


© Schedule for Later 
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OK Cancel 
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Submit Compliance Status 


nt Card Ind hop, Inc.] | Help | Log Out 
Home 
= Sa = Your Network Scans Quick Answers 
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6 Comphance Compliant Start Scan Asset Wizard ETNEA 
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P44 Questionnaires 
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What IP addresses do | need to 
scan? 


What steps do | take after | scan? 


How do | generate reports? 


Scan Hist All Vulnerabilt jiii 
can History ulnerabilities Questionnaires 


Who needs to complete a 
questionnaire? 


Self-Assessment Questionnaire 
Completed 


How many questionnaire versions 


SAQ Wizard avo thers? 


How do | complete a questionnaire? 
General 


How do | change my login 
credentials? 


Last Submitt 


All Questionnaires 


Create Reports for Certification 


You are ready to create network reports when the Compliance Status shows that the number of hosts in 
your account matches the number of hosts that are compliant. In the example below there are 2 hosts 
in the account and 2 hosts that are compliant. 
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@ Home Compliance Status 


= Network x 
> = tatus Hosts Vulnerabilities Potential Vulnerabilities Actio 
(@ Compliance ~ 


Compliance Status 


| 
In Account: 2 B HIGH 0 B HIGH 0 T | 
Submitted Reports Not Live: 0 apes š — 
5 Web Applications © Compliant: 2 = 0 Epe 
la Questionnaires © Not Compliant: 0 | 
@ Account © Not Current: tinea 0 = 


(o) Contact Support 


To create your reports, click Generate (under Actions) and simply follow the steps in the report 
generation wizard. Your reports will appear on the submitted reports list. 


Next steps: 
1) Preview the reports online in PDF format for completeness and accuracy. 


2) Request a review from your Approved Scanning Vendor (ASV) using the report wizard or from the 
submitted reports list. You will receive an email with the review status (approved or rejected). 


3) Once approved by the ASV, the report is considered certified and can be submitted to your acquiring 
banks for PCI certification. 
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Auto-Submit to Acquiring Banks 


The Qualys PCI auto-submission feature allows you to submit compliance status directly to your 
acquiring banks. Entering your bank and merchant IDs in your “Account Settings” activates the auto- 
submission feature. You can also download PCI compliance reports in PDF to submit to your acquiring 
bank(s) or use to assist in remediation efforts. 


Go to Compliance > Submitted Reports and click the Submit link. 


@ Home Submitted Reports a 
zee ~ | | Delete || Q Search 4 4|1-100f38 [x] > DS 
a i 
Compliance Stai a z 
TEES © E E Attested Submit My Network Report 9/2015 09/01/2015 
Submitted Report: = e 
> © g (E Pending Review 07/21/2015 
{=| Web Applications =| |= = m 
© g (@ Generated Request Review 06/30/2015 
[ð Questionnaires - - 
ri ® o E Submitted PCI 05/29/2015 
@ Account ~ = 
(9) e B Generated Request Review 04/21/2015 = 


@ Contact Support 


M Resources 


PCI Bank Service 


We offer our PCI Bank service to acquiring banks. When your bank has signed up you can submit your 
compliance status to them directly, without having to send it manually via email or other means. A bank 
representative gets a PCI Bank account and logs in to our PCI Bank application where they get a view of 
your compliance status and direct access to your submitted reports. 
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M Home Manage Merchants 
ĝ Merchants Download Al || Q, Search d 4 1-20f2lx| > PF) 
ĝ Account Details Status Merchant Name A Level Status Expiration Total Hosts Partner 

® © — Merchant 1234 1 08/27/2015 9 Qualys, inc. 

© So Merchant ABCD 3 04/19/2012 15 Qualys, Inc. 


Merchant 1234 © 


Download 
Compliance Overview 
Status Submit Date Next Due Date Dome cores pha monr 
Questionnaire © Compliant 0410712015 04/06/2016 (ete ale Ee 


and view attached evidence. 


Hosts Vulnerabilities Potential Vulnerabilities | Evidence O)| 


Scan © Not Compliant 05/29/2015 Overdue 


etini 2 US Lg ball ga Download PDF files ofthe most 
Not Live: 0 m meo | 127 m MED 103 recently submitted network scan 
Compliant © A Te — status report 

6 mLOW 34 LOW 20 


Not Compliant © 
Not Current tine 1 a) 


Can a bank user log in to a merchant account? No, bank users do not have access to merchant 
accounts. 
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Looking for More Information? 


Check out these references to help you meet PCI Compliance requirements. 


Qualys Community: How to Satisfy the New PCI Internal Scanning Requirements 
https://community.qualys.com/docs/DOC-3923 


PCI Security Standard Council 
https://www.pcisecuritystandards.org/ 


PCI Data Security Standards 
https://www.pcisecuritystandards.org/security_standards/index.php 


PCI DSS: Self-Assessment Questionnaire 
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php 


PCI Security Standards Documents 
https://www.pcisecuritystandards.org/security_standards/documents.php 
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